Although international cyberspace espionage has been around for decades,
offensive cyberspace operations (OCO) designed to create wartime effects
are relatively nascent. The USAF added cyberspace as a domain in which it
would "fly, fight, and win" to its mission statement in 2005, but the development of
a sizable military OCO force in the US did not begin in earnest until the establishment
of US Cyber Command (USCYBERCOM) in 2010. Meanwhile, only a few international
examples of successful OCO integration into military operations have yet
been made public. For example, OCO suppressed Syrian air defenses during the
2007 Israeli air strikes and coordinated OCO bolstered the 2008 Russian invasion of
Georgia. As USCYBERCOM reaches full operational capability, it is imperative that
it conduct OCO, not only in accordance with international law, but also in an ethically
responsible manner.

The most comprehensive study to date on the applicability of international law 
to cyberspace conflict is the Tallinn Manual 2.0 on the International Law Applicable to 
Cyber Operations, in which 19 legal experts under the direction of Professor Michael 
Schmitt derived 154 black-letter rules from existing law. The legal experts reached
a consensus on 108 of these rules, including some straightforward applications of 
the Law of Armed Conflict (LOAC) to civilian protections. Legal opinions were divided 
on the remaining 46 rules, 9 of which had significant aspects relevant to OCO but also 
eluded a majority opinion. This article recommends an ethical decision-making tool 
for OCO and uses those contentious nine legal rules from the Tallinn Manual 2.0 as 
example cases to consider ethical and sustainable norms in cyberspace. 

Ethical and Legal Norms for Offensive Cyberspace Operations 

The first ethical analysis of OCO by a moral philosopher was by philosophy professor
Dr. Randall Dipert in 2010. In his work, Dipert articulated three of the most
challenging aspects of OCO: operations can be nonattributable, defenses are expensive
and failure-prone, and there are no rare or exotic components in OCO weapons
that could inhibit their proliferation. Dipert also argued that existing international law
and Just War Theory do not straightforwardly apply to OCO. Militaries can dramatically
weaken opponent forces using OCO without necessarily causing death or permanent
property damage, and thus circumvent the casus belli of traditional Just War Theory.
Most importantly, Dipert predicted a long period to come of "low-level, multilateral
cyberwarfare, a Cyber Cold War, as a game-theoretic equilibrium is sought."

Dr. Brian Mazanec, a defense and strategic studies professor, came to a similarly
bleak conclusion in his rebuttal to optimism about international cooperation and
order in cyberspace: "norm evolution theory for emerging-technology weapons
leads one to conclude that constraining norms for cyberwarfare. . . may never successfully
emerge." The principal actors for OCO include the US, China, and Russia,
none of which consider the emergence of constraining norms that would curtail
sovereign options to be in their self-interest.

Russia and the US appear to be trending toward a consensus that OCO: (1) should 
never deliberately harm civilians and civilian infrastructure, (2) should be directed 
at legitimate military targets with the aim of minimizing collateral damage, (3) are 
equivalent to kinetic attacks of equal harm, and (4) are constrained by the principle
of economy of force. Unsurprisingly, these rules also appear in the Tallinn Manual
2.0 with substantial legal expert consensus. 

Perhaps no legal area concerning OCO is more contested than that of jus ad bellum
(right to war), or what OCO actions could trigger armed conflict. While China and
the US have officially agreed to "pursue efforts to further identify and promote appropriate
norms of state behavior in cyberspace," a significant divide exists between
the Chinese and US positions on OCO use of force. For example, the Chinese position
is a strict positivist reading of the United Nations (UN) Charter's prohibition on
the use of force, and in March 2017 the first official Chinese cyber strategy called on
all states to avoid cyberspace militarization. Conversely, the US position is that the
"inherent right of self-defense potentially applies against any illegal use of force"
(emphasis added). The perspective of the Tallinn Manual 2.0 falls between the Chinese
and US extremes concerning the use of force; the Tallinn Manual 2.0 reflects
the position in the 1986 International Court of Justice case of Nicaragua v. United
States that there is a difference between "use of force" as used in Article 2(4) of the
UN Charter and "armed attack" that justifies self-defense under Article 51. China,
thus, rejects the Tallinn Manual 2.0 perspective as too permissive, and the US rejects
the same perspective as too restrictive.

A compelling solution to the challenge of normalizing international OCO without
imposing stipulations is to follow the successful example of how the 2009 Montreux
Document on Pertinent International Legal Obligations and Good Practices for States Related
to Operations of Private Military and Security Companies during Armed Conflict
addressed private security companies. The Montreux Document underscored best
practices that developed from the failure of existing laws and regulations rather than
asserting policies and restrictions on state operations. Events such as the 2007 Nisour
Square incident in Baghdad, when US military contractors killed 17 civilians while
escorting an embassy convoy, fostered international resolve to clarify "what the role
for [private military and security companies] in armed conflicts is and should be."
The first half of the Montreux Document outlined pertinent legal obligations, and the
second half outlined good practices for states to follow that were not legally binding.
The Montreux Document stated early on that it was not the final word on the matter,
but that this was also never the intention. Cyberspace is a domain different from
all others in that the US is no longer the single dominant state for force projection;
the multipolar nature of power and influence in cyberspace means that norms can
only emerge from the shared objectives of all principal actors involved.

Original Position and Ethical Offensive Cyberspace Operations 

Moral and political philosopher John Rawls introduced the original position as a
central feature of his landmark book, A Theory of Justice, in 1971. In this book,
Rawls described a thought experiment, in which parties select principles of the society
they will live in, but behind a "veil of ignorance" as to their individual ethnicity,
social status, gender, and lifestyle. The idea behind the original position is that
parties are forced to select societal principles that will be rational and fair since the
parties do not know their ultimate position in the society undergoing design. Rawls
understood that human nature is essentially self-centered, so the determination of
what is fair must be made without consideration of personal privilege.

In cyberspace, there is no singularly dominant state, and OCO is largely nonattributable.
None of the principal actors, therefore, have a privileged role to play in
formalizing international norms. The situation closely mirrors that of the original 
position described by Rawls; the future balance of power in cyberspace is unknowable. 
The US, China, and Russia should leverage original-position thought experiments to 
determine what guidelines for OCO would be considered fair and sustainable to the 
international community as a whole. 

Nine Test Cases for Ethical Offensive Cyberspace Operations 

This section examines nine of the rules applicable to cyberspace operations for
which expert opinion was thoroughly divided based on current law. Using the principle
of the original position as an ethical decision-making tool for responsible state
behavior, this section proposes behaviors with respect to each rule that will contribute
to a fair, sustainable, and responsible normalization of cyberspace.

Rule 4: Violation of Sovereignty

According to international law, a state must not conduct cyberspace operations 
that violate the sovereignty of another state. On this point, the international group of 
experts was divided on whether a cyberspace operation that "results in neither physical
damage nor the loss of functionality" amounts to a violation under this rule.

A widely underappreciated fact about OCO is that detailed intelligence collection
of the cyberspace environment is a fundamental prerequisite to force projection in
the domain. Intelligence collection in cyberspace, just like its predecessors—human
intelligence, imagery intelligence, and signals intelligence operations—is instrumental
to collective international security. Thus, all of the primary actors presently
execute invasive, yet nonharmful, intrusions into adversary cyberspace to perform
reconnaissance, gather intelligence, and prepare OCO options for senior leadership
in the event of armed conflict. As Simon Chesterman, the dean and law professor at
the National University of Singapore Faculty of Law, succinctly put it, the "collection
of intelligence is more than tolerated, and may actually be encouraged." The universality
of intelligence collection operations into adversary cyberspace occurs with
tacit international acceptance, in part, because accurate intelligence can help mitigate
collateral damage and political miscalculations. From the original position,
such maneuvers in cyberspace are apparent as an ethical necessity of the domain.

Rule 9: Territorial Jurisdiction 

A state may exercise territorial jurisdiction over cyberspace infrastructure and 
persons engaged in cyberspace activities on its territory; cyberspace activities originating
in, or completed on, its territory; or cyberspace activities having a substantial
effect in its territory. Under this rule, the international group of experts could not
determine whether a state may exercise jurisdiction over data that simply traverses 
its territory en route to the intended destination. 

A point not specifically addressed within the discussion regarding Rule 9 is that 
sensitive data in transit is frequently encrypted and is almost certainly encrypted 
when in support of OCO. In any event, the states through which the associated data 
passes are both arbitrary and temporally dynamic as a result of network best-effort 
routing. The transited states are furthermore unaware of the specific content of encrypted
messages passing through their territorial cyberspace infrastructure. Pragmatically,
the opportunities and motivations of transited states to seek jurisdiction will be
relatively rare, and thus can be ethically addressed on a case-by-case basis, in "a reasonable
fashion and with due regard for the interests of other states," as proposed by
the international group of experts. From the original position, it is clear that the
primary actors would not select to relinquish jurisdiction to other states based on arbitrary
or constantly changing data traversal of state network infrastructure.

Rule 22: Limitations on Countermeasures 

Countermeasures conducted in cyberspace, as in other domains, must not violate
fundamental human rights, amount to belligerent reprisals, violate peremptory
norms, or violate diplomatic or consular inviolability. While the bulk of the limitations
on countermeasures discussion is unambiguous, the international team of experts
could not reach a consensus on the applicability of the right to privacy as a fundamental
human right, and therefore a limit on legal countermeasures. The Tallinn
Manual 2.0 points out that "whether or how human rights apply extraterritorially is
unsettled and controversial."

Despite the efforts of privacy advocates globally, the principal actors in cyberspace
currently do not interpret privacy rights as applying extraterritorially, with
the exception of reciprocal protections codified by treaty. States such as China and
Russia do not appear to value privacy as even a fundamental human right of their
own citizens. Any attempt by a state to unilaterally impose extraterritorial privacy
rights on international cyberspace would be futile for the foreseeable future, a fact
that is evident from the original position. The ethical and responsible norm is,
therefore, for a state to select the most effective countermeasures available, while
fully respecting widely-accepted human rights and also respecting privacy rights to
the extent obligated by treaty and domestic law.

Rule 34: Applicability 

Simply stated, international human rights law applies to cyberspace activities. 
Here, the international group of experts was split as to whether international human
rights treaties that do not explicitly address extraterritoriality nevertheless impose
such obligations on the signatories.

From the perspective of any principal actor in the original position, it is difficult 
to fathom a decision to surrender sovereign options based on restrictions to which 
they did not expressly agree. The ethical norm acceptable to every state is to operate
within the confines of treaty obligations and international law but to also seek
additional international frameworks to defend human rights where practicable. 

Rule 39: Inviolability of Premises in Which Cyberspace Infrastructure 
is Located 

The international group of experts concluded that cyberspace infrastructure 
within embassies and consular posts is protected by the inviolability that applies to 
such diplomatic locations. What was not entirely clear was whether states have an
international obligation to respect the inviolability of diplomatic missions or consular
posts in other states, since the establishment of embassies and the like is primarily
based on a bilateral relationship between host and hosted state.

As the anecdote goes, Willie Sutton responded to the question as to why he
robbed banks: "That's where the money is." Similarly, diplomatic missions are treasure
troves of important information regarding state activity and intent. It is no
wonder that Soviet intelligence services positioned electromechanical keyloggers in
US embassy typewriters, within Soviet territory no less, during the late 1970s.
While the physical inviolability of diplomatic premises is an established international
norm, cyberspace inviolability is clearly not consistent with state practice by the
primary actors. Any state in the original position would appreciate the utility of nondestructive
cyberspace operations within embassies and consular posts to gather intelligence
on hosted state motives, activities, and capabilities. Nevertheless, victim
states also retain the right to protest whenever such activity is exposed. Ethical cyberspace
operations can reasonably include maneuvers within diplomatic premises
when carried out without causing damage.

Rule 46: The Right to Visit and Cyberspace Operations 

International law establishes that all states have the right to board a vessel on the
high seas or in an exclusive economic zone without flag state consent if the vessel
is suspected of piracy, slave trading, unauthorized broadcasting, is without nationality,
or is of the nationality of the visiting vessel. An interesting, yet unresolved,
legal question is whether a right of visit can be carried out through OCO from the
visiting warship.

OCO-enabled virtual visits have some potential to be less invasive than physical
searches and pose less physical risk to both crews. On the other hand, a virtual visit
is not consistent with the plain text of the law and could actually be more informationally
invasive than a physical boarding, since OCO could easily retrieve personal,
commercial, and financial files completely irrelevant to determining vessel
nationality or confirming maritime criminal activity. While physical maritime visits
are both announced and clearly visible, virtual visits could be announced or unannounced.
Moreover, any ship threatened in advance of a virtual visit via OCO could
naturally take countermeasures, such as powering off noncritical systems. If OCO
was successful despite specific countermeasures, that fact, too, could be revealed,
making future virtual visits ever more challenging. OCO-savvy states may even be
incentivized to operate honeypot vessels designed to incite virtual visits from other
states to discover and proliferate novel OCO techniques.

This rule, in particular, highlights the value of the original position in deducing 
ethical OCO behavior. The specter of military vessels hacking into foreign private 
and commercial vessels on the high seas under the auspices of right to visit is one 
that none of the primary actors would find acceptable and is thus unethical. 

Rule 122: Perfidy 

Perfidy is the use of treacherous deception to kill, injure, or capture an adversary
by falsely claiming protected status, and it is prohibited for OCO. The prohibition
on perfidy is codified in customary international law for both international and
noninternational armed conflict and also appears in Article 23(h) of the Hague Conventions.
However, the international group of experts was split as to whether the
perfidious act must actually result in adversarial death or injury to be prohibited.
ICRC commentary asserts that "it seems evident that the attempted or unsuccessful
act also falls under the scope of this prohibition" based on the 1977 Protocol I supplement
to the Geneva Conventions. Adding to the complexity of the perfidy issue
is that the US is not a signatory to the Protocol I, although China and Russia (and
more than 50 other states) are. The contrasting legal viewpoint is that the plain text
of the Hague Conventions and Protocol I explicitly describe death, injury, and capture
as consequences of prohibited perfidy. Given the inherent deception and secrecy
required by all forms of OCO, it is not surprising that scholars have struggled
to determine what constitutes perfidy in the cyberspace domain.

USCYBERCOM cannot conduct OCO from publicly-known Internet Protocol addresses
at the Pentagon directly against its targets and expect to have any success at
all; OCO necessitates masquerading and maneuvering through the "gray space" between
friendly "blue" and adversarial "red" cyberspace terrain. Cybersecurity researcher
Heather Roff took an uncommon stance on these facts, arguing that OCO
erodes the minimal trust necessary between belligerents and that "any use of a cyberweapon
that results in the killing, wounding, or capture of an adversary is impermissible."
Naval Postgraduate School professor Neil C. Rowe also argued that many
forms of OCO involve perfidy. Regarding covert action, under which many OCO
may be categorized, former National Intelligence Council chairman Gregory Treverton
wondered how "covert action, even if justifiable. . . can be reconciled with democratic
principles," and political theorist Charles Beitz lamented whether "the capacity to
conduct covert operations in peacetime should properly belong to the executive
branch at all."

Alternatively, many other experts, including Dipert, argue that OCO makes
frequent use of ruses rather than perfidy, and ruses are permitted under international
law. The Tallinn Manual 2.0 identifies the following examples of OCO ruses:
(1) the creation of simulated forces, (2) the transmission of false information to lead
the adversary to believe that operations are about to occur, (3) the use of false computer
identifiers such as network addresses, (4) feigned OCO not intended to induce terror, (5)
bogus orders, (6) psychological operations, (7) transmitting false intelligence, and
(8) the use of enemy codes, signals, and passwords. Importantly, the international
group of experts reached a consensus on this latter interpretation of ruse versus
perfidy in the cyberspace domain, and thus it carries significant weight.

International law, thus, allows for the extensive use of deception and ruses
within OCO, but the question remains as to whether or not cyberspace-enabled perfidy
that does not kill, injure, or capture is ethically permissible. Here, again, the
use of the original-position thought experiment is illuminating; perfidy is prohibited
because treachery undermines the value and trust in acts of good faith, such as the
raising of a white flag of surrender. No state would endorse perfidy from the original
position, lest it be permitted against themselves. Regardless of how tactically
advantageous it may be to use OCO to broadcast a false report of a cease-fire to confuse
an adversary during an intense armed conflict, such actions, whether they ultimately
result in death, injury, or capture, are definitively unethical.

Rules 124-125: Improper Use of the Protective Indicators and UN Emblem 

It is prohibited to make improper use of protective indicators that are set forth
under the LOAC, such as the American Red Cross and Red Crescent. Likewise, the
unauthorized use of the UN emblem is prohibited. The international team of experts
approached the application of these rules in cyberspace in two ways. Some
experts interpreted the text of the law to narrowly apply to protective indicators
such as graphics, while the other experts followed a teleological interpretation that
broadly included Internet domain names and text indicators as well. An example
described in the Tallinn Manual 2.0 is that of a phishing email spoofed to appear
from the ICRC website to evade adversary email filters; falsified use of the Red
Cross domain name in an OCO would be unlawful based on the second legal approach
but not the first.

Under the Rome Statute of the International Criminal Court, intentional attacks
against humanitarian assistance personnel are war crimes. Humanitarian relief to
civilian populations is essential—both during and after armed conflict—to prevent
starvation and provide treatment to the wounded and sick. The ICRC’s respected
impartiality allowed it to provide 2,100 tons of assistance to thousands of displaced
civilians in Crimea throughout 2017. Any operations that undermine trust in the
protected nature of humanitarian organizations or the UN fundamentally jeopardize
humanitarian assistance and peacekeeping activities and, therefore, would be considered
unethical from the original position by any of the primary actors. The improper
use of protective indicators and the UN emblem must be avoided within OCO.

Although not directly related to Rules 124 and 125, the US Department of Defense
Law of War Manual states that the false use of journalist credentials to feign civilian
status to facilitate spying or sabotage is not technically prohibited. The US has not
announced any intent to make use of such deceptions in cyberspace, but the perspective
of the original position can give leaders insight into the ethical soundness
of such deception during the joint planning process. After all, journalists are permitted
under international law to obtain identity cards that verify their default status as
noncombatants. Would it be ethical to undermine journalist protections under Additional
Protocol I, to which the US is not a party, but for which the official US position
is that it supports and respects this important principle?

Conclusion 

Current military OCO mission planning courses gloss over the LOAC as if it applied
perfectly to cyberspace and had resolved all potential ethical quandaries in
store for USCYBERCOM. As this article has shown, the legal landscape is more porous
than generally appreciated, and the need for ethically-minded leadership is essential
in this legal gray zone. Military judge advocate generals tasked to "find a way
to yes" for their commanders do so with the privilege of a contemporary—if tenuous—US
supremacy in the physical domains of air, land, sea, and space as they provide
guidance on legal force projection. Cyberspace is different. In cyberspace, the
US is simply one of several principal actors, and additional states are rapidly growing
their forces to join the fray. Every experiment sets a precedent as the international
norms of behavior codify. The focus should be toward reflective rather than
assertive thinking, following the example set forth by the Montreux Document. Senior
leaders must use ethical reasoning in addition to their legal guidance in the
years ahead to ensure that force projection through OCO is made responsibly and
sustainably. To these ends, the use of the original-position thought experiment can
be a valuable ethical decision-making tool.